IoT Security: Everything Starts with Awareness #NCSAM

This year has presented some of the most daunting challenges in memory as the coronavirus pandemic underscored the inability of many organizations to withstand a crisis of this magnitude, while keeping assets and resources secure.

It should come as no surprise, then, that this year’s Cybersecurity Awareness Month focused on the importance of proactive steps to enhance cybersecurity. When it comes to IoT, however, security has too often been deemphasized. Even today, with awareness at an all-time high, many organizations have not taken action and remain vulnerable.

In many IoT deployments, organizations must manage dozens, hundreds, or even thousands of decentralized, connected devices, which present tempting targets for malicious actors. With 83 billion IoT connections expected by 2024, it is more important than ever to take the right steps to protect these devices and networks. So, the question arises: Is one month enough time to plant the right cybersecurity seeds and make an impact within the IoT community?

The Continuing Fight: Awareness vs. Action

In October, many IoT professionals and organizations embraced Cybersecurity Awareness Month by highlighting their own security steps and their commitments for the coming year. Naturally, however, a gap remains between what we know and what we do.

Cybersecurity Awareness Month offers a valuable opportunity for our profession to engage in conversations about security matters. It initiates an important dialogue among our teams, customers, partners, analysts, watchdogs, and even regulators. We get to see once again how important awareness is and rededicate our efforts to putting our accumulated knowledge into practice.

This is particularly crucial in industrial IoT (IIoT) where the potential exposures – from tank sensors and intelligent streetlights to water monitors, and much more – are almost unlimited. Collectively, we are risking an incalculable amount of investment if security is not embedded within devices.

The Impact of Cybersecurity in IIoT

The consequences of a breach in IIoT are far more extensive than one in consumer-grade IoT, because it affects both the company’s resources and the people they serve. For example, last year, a denial-of-service attack disrupted swaths of the electrical system in California, Utah, and Wyoming. These threats are reported on daily, but what do they mean for IoT deployments? Some of the major pitfalls that organizations must contend with include:

Treating security as an afterthought – The good news is that more companies are recognizing the critical importance of security and are no longer treating it as a mere afterthought. The bad news: The pandemic has taken a massive toll on IT budgets.

Even if organizations want security embedded in their devices, they don’t prioritize the investments that built-in security requires and choose cheaper products that look and feel “OK.” This will slowly but steadily shift in the coming year as organizations finally factor in the unacceptable risks of faulty security settings and inadequate encryption/privacy protection in order to protect themselves from liabilities and compliance issues.

With governments enacting and expanding regulatory frameworks such as NIST’s IoT security framework, these overlooked items will become legal requirements and table stakes for IIoT.

“Set it and forget it” mentality – The lifespan of an IIoT device can range from 10-15 years, which means it’s essential to update firmware and patch software to ensure security is at the highest level. However, when an organization deploys thousands of devices and operates them without a second thought, problems can arise.

In fact, a Digi International study found that 43% of IIOT devices communicate through insecure means (as opposed to 98% of consumer devices) and that the root case is a lack of firmware updates. Moving forward, we expect organizations will rely more on centralized device management tools to improve control and visibility into their full network instead of managing at the device level. These tools can help administrators update firmware, apply security patches, troubleshoot through out-of-band-management, and reconfigure devices in bulk through a single access point.

Authentication and device identity – Passwords remain the most common authentication method, but password stuffing, brute force, and many more growing threats mean passwords alone are not enough.

Multi-factor authentication (MFA) will increase considerably in IIoT deployments to ensure the right people have access by going beyond the standard user name and password, and adding other factors such as location, IP address, and verification of “something the user has” such as a smartphone or electronic key fob.

Beyond Cybersecurity Awareness Month

With COVID-19 cases on the rise again, a growing population of people working remotely, and threat actors taking advantage of the situation, we find ourselves in a perfect storm for security to become a top priority.

If there is one takeaway from this Cybersecurity Awareness Month, it’s this: Education and open communication among peers will take us to the next level – action. This month has highlighted that now’s the time to put knowledge into action to fully secure the IIoT.

What’s Hot on Infosecurity Magazine?